RansomHouse
Organisation

Ransomware-as-a-service group; claimed Trellix source-code breach in April 2026.

Last refreshed: 8 May 2026

Key Question

What can attackers do with Trellix source code that RansomHouse now holds?

Timeline for RansomHouse

8 May 2026

RansomHouse claimed responsibility for the Trellix source-code compromise, dating the intrusion to 17 April, without publicly releasing any data.

Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repository
Common Questions
Has RansomHouse released the Trellix source code?
As of 8 May 2026, RansomHouse had not publicly released any data from the Trellix breach. Trellix confirmed the compromise but stated no data had appeared publicly. Source: Trellix disclosure
Who are RansomHouse's previous victims?
RansomHouse has targeted large enterprises in healthcare, manufacturing, and critical infrastructure since 2022. The group focuses on data extortion rather than encryption-based ransomware.
Why is the Trellix source-code breach significant for UK security?
Trellix provides security software to UK Government departments and critical national infrastructure operators. Access to source code could expose detection gaps or vulnerabilities in the sensors protecting those networks. Source: Trellix
How does RansomHouse differ from other ransomware groups?
RansomHouse focuses on data theft and extortion rather than deploying file-encrypting ransomware. The group exfiltrates data and threatens public release rather than disabling systems.

Background

RansomHouse is a ransomware-as-a-service (RaaS) operation that emerged in 2022 and targets large enterprises across critical sectors. On 17 April 2026, the group accessed part of Trellix's source-code repository; Trellix disclosed the breach publicly on 8 May, a 21-day intrusion-to-disclosure gap. As of 8 May, no data had been released publicly.

RansomHouse distinguishes itself from conventional ransomware operators by focusing primarily on data theft and extortion rather than encryption-based disruption. The group typically exfiltrates sensitive data and threatens publication on its leak site to pressure victims into payment. Unlike many RaaS operations, RansomHouse has claimed that it does not deploy encryptors itself; it instead relies on affiliated access brokers or exploits existing vulnerabilities to gain entry.

The Trellix compromise is operationally significant because Trellix produces security software used by UK Government departments and CNI operators. Source-code access could reveal detection logic and signatures, sensor blind spots, or undisclosed vulnerabilities in a product deployed by exactly the kind of targets RansomHouse and its affiliates typically pursue. It does not by itself give an attacker the ability to ship modified builds to those deployments; that would require code-signing keys or access to the update channel, neither of which has been reported as affected. The 21-day gap between intrusion and public disclosure also exceeds the 24-hour initial-notification window proposed in the UK Cyber Security and Resilience Bill, although that window governs notification to the regulator and the NCSC rather than public disclosure, so the comparison is indicative rather than a finding of non-compliance.

Source Material